Fist commit of new role-action mapping implementation for v5.5. All t…

…ests pass. Role Action Mapping xml file for EGI.
jrha · Sep 22, 2015 · 229a0e8 · 229a0e8
1 parent 1dc0ee1
commit 229a0e8
Show file tree

Hide file tree

Showing 41 changed files with 797 additions and 704 deletions.
diff --git a/config/RoleActionMappings.xml b/config/RoleActionMappings.xml
@@ -42,6 +42,24 @@
         </RoleMapping>
     </RoleActionMapping> 
 
+<!--    <RoleActionMapping> 
+        <TargetProject>DaveProject</TargetProject> 
+        <RoleNames over="Project">
+            <Role id="dEGI_CSIRT_OFFICER">dEGI CSIRT Officer</Role>
+            <Role id="dCOO">dChief Operations Officer</Role>
+        </RoleNames>  
+        <RoleNames over="Ngi">
+            <Role id="dNGI_OPS_MAN">dNGI Operations Manager</Role>
+            <Role id="dNGI_OPS_DEP_MAN">dNGI Operations Deputy Manager</Role>
+            <Role id="dNGI_SEC_OFFICER">dNGI Security Officer</Role>
+        </RoleNames>
+        <RoleNames over="Site"> 
+            <Role id="dSITE_ADMIN">dSite Administrator</Role>
+            <Role id="dSITE_SECOFFICER">dSite Security Officer</Role>
+        </RoleNames> 
+    </RoleActionMapping>-->
+
+
     <RoleActionMapping> 
         <TargetProject>EGI</TargetProject> 
 

diff --git a/htdocs/web_portal/controllers/downtime/add_downtime.php b/htdocs/web_portal/controllers/downtime/add_downtime.php
@@ -162,8 +162,7 @@ function draw(\User $user = null) {
 	// If the user wants to add a downtime to a specific site, show only that site's SEs
 	else if(isset($_GET['site'])) {
 		$site = \Factory::getSiteService()->getSite($_GET['site']);
-	    //old way: \Factory::getSiteService()->edit Authorization($site, $user);
-        if(count(\Factory::getSiteService()->authorizeAction(\Action::EDIT_OBJECT, $site, $user))==0){
+        if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $site, $user) == FALSE){
            throw new \Exception("You don't have permission over $site"); 
         }
 		$ses = $site->getServices();
@@ -177,7 +176,7 @@ function draw(\User $user = null) {
 	else if(isset($_GET['se'])) {
 	    $se = \Factory::getServiceService()->getService($_GET['se']);
         $site = \Factory::getSiteService()->getSite($se->getParentSite()->getId());
-        if(count(\Factory::getServiceService()->authorizeAction(\Action::EDIT_OBJECT, $se, $user))==0){
+        if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $se->getParentSite(), $user) == FALSE){
            throw new \Exception("You do not have permission over $se."); 
         } 
 
@@ -202,7 +201,7 @@ function draw(\User $user = null) {
             $sesAll = \Factory::getRoleService()->getReachableServicesFromOwnedObjectRoles($user);
             // drop the ses where the user does not have edit permissions over  
             foreach($sesAll as $se){
-                if(count(\Factory::getServiceService()->authorizeAction(\Action::EDIT_OBJECT, $se, $user))>0){ 
+                if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $se->getParentSite(), $user)){ 
                     $ses[] = $se; 
                 }
             }

diff --git a/htdocs/web_portal/controllers/downtime/edit_downtime.php b/htdocs/web_portal/controllers/downtime/edit_downtime.php
@@ -62,7 +62,7 @@ function draw(\User $user = null) {
 
     // check that this downtime is eligible for editing, throws exception if not.  
     $serv->editValidationDatePreConditions($dt); 
-    $serv->authorization($dt->getServices(), $user);
+    $serv->authorisation($dt->getServices(), $user);
 
     $nowUtcDateTime = new \DateTime(null, new \DateTimeZone("UTC"));
     $twoDaysAgoUtcDateTime = $nowUtcDateTime->sub(\DateInterval::createFromDateString('2 days'));

diff --git a/htdocs/web_portal/controllers/ngi/edit_ngi.php b/htdocs/web_portal/controllers/ngi/edit_ngi.php
@@ -50,11 +50,13 @@ function draw(\User $user = null) {
     if (!isset($_REQUEST['id']) || !is_numeric($_REQUEST['id']) ){
         throw new Exception("An id must be specified");
     }
-    $serv = \Factory::getNgiService();
-    $ngi = $serv->getNgi($_REQUEST['id']);
+    $ngi = \Factory::getNgiService()->getNgi($_REQUEST['id']);
 
-    // Old way: //$serv->edit Authorization($ngi, $user);
-    if(count($serv->authorizeAction(Action::EDIT_OBJECT, $ngi, $user)) == 0){ 
+    if($user == null){
+       throw new Exception('You do not have permission to edit this NGI, null user'); 
+    }
+    //if(count($serv->authorize Action(Action::EDIT_OBJECT, $ngi, $user)) == 0){ 
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsoute(Action::EDIT_OBJECT, $ngi, $user) == FALSE){
         throw new Exception('You do not have permission to edit this NGI');
     }
 

diff --git a/htdocs/web_portal/controllers/ngi/view_ngi.php b/htdocs/web_portal/controllers/ngi/view_ngi.php
@@ -51,11 +51,12 @@ function view_ngi() {
     $ngi = $ngiServ->getNgi($ngiId);
 
     // Does current viewer have edit permissions over NGI ?
-    $params['ShowEdit'] = false;  
-    if(count($ngiServ->authorizeAction(\Action::EDIT_OBJECT, $ngi, $user))>=1){
-       $params['ShowEdit'] = true;  
-    } 
-
+    $params['ShowEdit'] = false;
+    //if(count($ngiServ->authorize Action(\Action::EDIT_OBJECT, $ngi, $user))>=1){
+    if (\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $ngi, $user))  {
+        $params['ShowEdit'] = true;
+    }
+
     // Add ngi to params 
 	$params['ngi'] = $ngi;
 

diff --git a/htdocs/web_portal/controllers/political_role/request_role.php b/htdocs/web_portal/controllers/political_role/request_role.php
@@ -30,12 +30,14 @@
  */
 function request_role() {   
     $user = \Factory::getUserService()->getUserByPrinciple(Get_User_Principle());
-    if($user == null) throw new Exception("Unregistered users can't request roles"); 
+    if($user == null) {
+        throw new Exception("Unregistered users can't request roles"); 
+    }
 
     //Check the portal is not in read only mode, returns exception if it is and user is not an admin
     checkPortalIsNotReadOnlyOrUserIsAdmin($user);
 
-// If we receive a POST request it's for a new role
+    // If we receive a POST request it's for a new role
     if(isset($_REQUEST['Role_Name_Value']) && isset($_REQUEST['Object_ID']) ) {     
         submitRoleRequest($_REQUEST['Role_Name_Value'], $_REQUEST['Object_ID'], $user);
 
@@ -54,15 +56,21 @@ function request_role() {
  * @param int $entityId
  */
 function drawViewRequestRole($entityId, \User $user = null){
-    if(!is_numeric($entityId)) throw new Exception('Invalid entityId');
+    if(!is_numeric($entityId)){
+        throw new Exception('Invalid entityId');
+    }
 
     $ownedEntity = \Factory::getOwnedEntityService()->getOwnedEntityById($entityId);
 
     // build model to be passed to view (a parameter map/array)  
     $params['entityName'] = $ownedEntity->getName(); 
     $params['entityType'] = \Factory::getOwnedEntityService()->getOwnedEntityDerivedClassName($ownedEntity);
     $params['objectId'] = $entityId;
-    $params['roles'] = \Factory::getRoleService()->getRoleTypeNamesForOwnedEntity($ownedEntity);
+    // array ([0] => array(RoleTypeName => ProjectName)) 
+    $roleTypesAndProj = \Factory::getRoleService()->getRoleTypeNamesForOwnedEntity($ownedEntity);
+    $params['roles'] = $roleTypesAndProj;
+    //print_r($params['roles']); 
+
     show_view('political_role/request_role.php', $params);
     die(); 
 }

diff --git a/htdocs/web_portal/controllers/political_role/view_requests.php b/htdocs/web_portal/controllers/political_role/view_requests.php
@@ -80,7 +80,13 @@ function view_requests() {
         $grantRejectRoleNamesArray['deny'] = ''; 
 
         // get list of roles that allows user to to grant the role request
-        $grantRoleAuthorisingRoleNames = \Factory::getRoleService()->authorizeAction(\Action::GRANT_ROLE, $r->getOwnedEntity(), $user); 
+        //$grantRoleAuthorisingRoleNames = \Factory::getRoleService()->authorize Action(\Action::GRANT_ROLE, $r->getOwnedEntity(), $user); 
+        $grantRoleAuthorisingRoles = \Factory::getRoleActionAuthorisationService()->authoriseAction(\Action::GRANT_ROLE, $r->getOwnedEntity(), $user); 
+        $grantRoleAuthorisingRoleNames = array(); 
+        foreach($grantRoleAuthorisingRoles as $grantRole){
+            $grantRoleAuthorisingRoleNames[] = $grantRole->getRoleType()->getName(); 
+        }
+
         if(count($grantRoleAuthorisingRoleNames)>=1){
             $allAuthorisingRoleNames = ''; 
             foreach($grantRoleAuthorisingRoleNames as $arName){
@@ -89,9 +95,18 @@ function view_requests() {
             $allAuthorisingRoleNames = substr($allAuthorisingRoleNames, 0, strlen($allAuthorisingRoleNames)-2);  
             $grantRejectRoleNamesArray['grant'] = '['.$allAuthorisingRoleNames.']'; 
         } 
-
+        if($user->isAdmin()){
+           $grantRejectRoleNamesArray['grant'] = 'GOCDB ADMIN ' . $grantRejectRoleNamesArray['grant']; 
+        }
+
         // get list of roles that allows user to reject the role request
-        $denyRoleAuthorisingRoleNames = \Factory::getRoleService()->authorizeAction(\Action::REJECT_ROLE, $r->getOwnedEntity(), $user); 
+        //$denyRoleAuthorisingRoleNames = \Factory::getRoleService()->authorize Action(\Action::REJECT_ROLE, $r->getOwnedEntity(), $user); 
+        $denyRoleAuthorisingRoles = \Factory::getRoleActionAuthorisationService()->authoriseAction(\Action::REJECT_ROLE, $r->getOwnedEntity(), $user);  
+        $denyRoleAuthorisingRoleNames = array();  
+        foreach($denyRoleAuthorisingRoles as $denyingRole){
+          $denyRoleAuthorisingRoleNames[] = $denyingRole->getRoleType()->getName();   
+        } 
+
         if(count($denyRoleAuthorisingRoleNames)>=1){
            $allAuthorisingRoleNames = ''; 
             foreach($denyRoleAuthorisingRoleNames as $arName){
@@ -100,6 +115,9 @@ function view_requests() {
             $allAuthorisingRoleNames = substr($allAuthorisingRoleNames, 0, strlen($allAuthorisingRoleNames)-2);  
             $grantRejectRoleNamesArray['deny'] = '['.$allAuthorisingRoleNames.']'; 
         }
+        if($user->isAdmin()){
+           $grantRejectRoleNamesArray['deny'] = 'GOCDB ADMIN ' . $grantRejectRoleNamesArray['deny']; 
+        }
         // store array of role names in decorator object 
         $r->setDecoratorObject($grantRejectRoleNamesArray); 
     }

diff --git a/htdocs/web_portal/controllers/project/view_project.php b/htdocs/web_portal/controllers/project/view_project.php
@@ -45,9 +45,12 @@ function show_project() {
     $dn = Get_User_Principle();
     $user = \Factory::getUserService()->getUserByPrinciple($dn);
     $params['ShowEdit'] = false;  
-    if(count($serv->authorizeAction(\Action::EDIT_OBJECT, $project, $user))>=1){
-       $params['ShowEdit'] = true;  
+    if (\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $project, $user))  {
+        $params['ShowEdit'] = true;
     }
+//    if(count($serv->authorize Action(\Action::EDIT_OBJECT, $project, $user))>=1){
+//       $params['ShowEdit'] = true;  
+//    }
 
     $params['authenticated'] = false; 
     if($user != null){

diff --git a/htdocs/web_portal/controllers/service/add_service.php b/htdocs/web_portal/controllers/service/add_service.php
@@ -75,25 +75,28 @@ function draw($user) {
         if ($site == null) {
             throw new Exception('Invalid site');
         }
-        if (count(\Factory::getSiteService()->authorizeAction(\Action::SITE_ADD_SERVICE, $site, $user)) == 0) {
+        //if (count(\Factory::getSiteService()->authorize Action(\Action::SITE_ADD_SERVICE, $site, $user)) == 0) {
+        if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::SITE_ADD_SERVICE, $site, $user) == FALSE){
             throw new Exception('You do not have permission to add a service to this site');
         }
     }
 
     // Add sites which user has required action permission to array. 
     $allUserSites = \Factory::getUserService()->getSitesFromRoles($user);
-    $sites = array(); 
-    foreach ($allUserSites as $s) {
-        if (count(\Factory::getSiteService()->authorizeAction(\Action::SITE_ADD_SERVICE, $s, $user)) != 0) {
-           $sites[] = $s; 
-        } 
+    $sites = array();
+    if (!$user->isAdmin()) {
+        foreach ($allUserSites as $s) {
+            //if (count(\Factory::getSiteService()->authorize Action(\Action::SITE_ADD_SERVICE, $s, $user)) != 0) {
+            if (\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::SITE_ADD_SERVICE, $s, $user)) {
+                $sites[] = $s;
+            }
+        }
     }
-
     //For admin users, return all sites instead.
-    if($user->isAdmin()){
-       $sites = \Factory::getSiteService()->getSitesBy();
+    else {
+        $sites = \Factory::getSiteService()->getSitesBy();
     }
-    
+
     if(count($sites)==0 and !$user->isAdmin()){
       throw new Exception("You need at least one NGI or Site level role to add a new service.");  
     }

diff --git a/htdocs/web_portal/controllers/service/edit_service.php b/htdocs/web_portal/controllers/service/edit_service.php
@@ -67,8 +67,9 @@ function draw(\User $user = null) {
 	$serv = \Factory::getServiceService();
 	$se = $serv->getService($id);
 
-	if(count(Factory::getServiceService()->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) == 0){
-       throw new \Exception("You do not have permission over $se."); 
+	//if(count(Factory::getServiceService()->authorize Action(\Action::EDIT_OBJECT, $se, $user)) == 0){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $se->getParentSite(), $user)==FALSE){
+       throw new \Exception("You do not have permission over $se.");  
     }
 
     $configservice = \Factory::getConfigService();

diff --git a/htdocs/web_portal/controllers/service/view_service.php b/htdocs/web_portal/controllers/service/view_service.php
@@ -25,9 +25,13 @@ function view_se() {
 
     // Does current viewer have edit permissions over object ?
     $params['ShowEdit'] = false;  
-    if($user != null && count($serv->authorizeAction(\Action::EDIT_OBJECT, $se, $user))>=1){
-       $params['ShowEdit'] = true;  
+//    if($user != null && count($serv->authorize Action(\Action::EDIT_OBJECT, $se, $user))>=1){
+//       $params['ShowEdit'] = true;  
+//    } 
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $se->getParentSite(), $user)){
+       $params['ShowEdit'] = true;   
     } 
+
 
     $title = $se->getHostName() . " - " . $se->getServiceType()->getName();
     $params['se'] = $se;

diff --git a/htdocs/web_portal/controllers/service/view_service_endpoint.php b/htdocs/web_portal/controllers/service/view_service_endpoint.php
@@ -22,13 +22,18 @@ function view_endpoint() {
     $serv = \Factory::getServiceService();
 
     $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
+    /* @var $endpoint \EndpointLocation */
     $endpoint = $serv->getEndpoint($id);
+    /* @var $service \Service */
+    $service = $endpoint->getService(); 
+    $site = $service->getParentSite(); 
 
     // Does current viewer have edit permissions over object ?
     $params['ShowEdit'] = false;  
-    if(count($serv->authorizeAction(\Action::EDIT_OBJECT, $endpoint->getService(), $user))>=1){
+    //if(count($serv->authorize Action(\Action::EDIT_OBJECT, $endpoint->getService(), $user))>=1){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $site, $user)){
        $params['ShowEdit'] = true;  
-    } 
+    }
 
     $title = $endpoint->getName();
     $params['endpoint'] = $endpoint;

diff --git a/htdocs/web_portal/controllers/service_group/add_ses.php b/htdocs/web_portal/controllers/service_group/add_ses.php
@@ -59,10 +59,11 @@ function draw(\User $user = null) {
     // Check the user is authorized to perform this operation
     //try { $serv->editAuthorization($sg, $user); } catch(Exception $e) {
     //    show_view('error.php', $e->getMessage()); die(); }
-    if(count($serv->authorizeAction(\Action::EDIT_OBJECT, $sg, $user))==0){
-       show_view('error.php', 'You do not have permission to edit this ServiceGroup'); 
-       die(); 
-    }    
+    //if(count($serv->authorize Action(\Action::EDIT_OBJECT, $sg, $user))==0){
+    if (\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $sg, $user) == FALSE)  {
+        show_view('error.php', 'You do not have permission to edit this ServiceGroup');
+        die();
+    }
 
     // Check to see whether to show the link to "add a new SE to this virtual site"
     if(\Factory::getConfigService()

diff --git a/htdocs/web_portal/controllers/service_group/edit_service_group.php b/htdocs/web_portal/controllers/service_group/edit_service_group.php
@@ -79,7 +79,7 @@ function draw(\User $user = null) {
     $sg = $serv->getServiceGroup($_REQUEST['id']);
     //try { $serv->editAuthorization($sg, $user); } catch(Exception $e) {
     //	show_view('error.php', $e->getMessage()); die(); }
-    if(count($serv->authorizeAction(\Action::EDIT_OBJECT, $sg, $user))==0){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $sg, $user) == FALSE){
        show_view('error.php', 'You do not have permission to edit this ServiceGroup'); 
        die(); 
     }

diff --git a/htdocs/web_portal/controllers/service_group/remove_ses.php b/htdocs/web_portal/controllers/service_group/remove_ses.php
@@ -59,7 +59,8 @@ function draw(\User $user = null) {
 	// Check the user is authorized to perform this operation
 	//try { $serv->editAuthorization($sg, $user); } catch(Exception $e) {
 	//    show_view('error.php', $e->getMessage()); die(); }
-    if(count($serv->authorizeAction(\Action::EDIT_OBJECT, $sg, $user))==0){
+    //if(count($serv->authorize Action(\Action::EDIT_OBJECT, $sg, $user))==0){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $sg, $user) == FALSE){
        show_view('error.php', 'You do not have permission to edit this ServiceGroup'); 
        die(); 
     }

diff --git a/htdocs/web_portal/controllers/service_group/view_sgroup.php b/htdocs/web_portal/controllers/service_group/view_sgroup.php
@@ -38,7 +38,8 @@ function showServiceGroup() {
 
     // Does current viewer have edit permissions over object ?
     $params['ShowEdit'] = false;  
-    if(count( \Factory::getServiceGroupService()->authorizeAction(\Action::EDIT_OBJECT, $sGroup, $user))>=1){
+    //if(count( \Factory::getServiceGroupService()->authorize Action(\Action::EDIT_OBJECT, $sGroup, $user))>=1){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $sGroup, $user)){
        $params['ShowEdit'] = true;  
     } 
 

diff --git a/htdocs/web_portal/controllers/site/edit_cert_status.php b/htdocs/web_portal/controllers/site/edit_cert_status.php
@@ -59,7 +59,8 @@ function draw(\User $user = null) {
 
     //try { \Factory::getCertStatusService()->editAuthorization($site, $user);
     //} catch (\Exception $e) { show_view('error.php', $e->getMessage()); die(); }
-    if(count(\Factory::getSiteService()->authorizeAction(Action::SITE_EDIT_CERT_STATUS, $site, $user))==0 ){
+    //if(count(\Factory::getSiteService()->authorize Action(Action::SITE_EDIT_CERT_STATUS, $site, $user))==0 ){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::SITE_EDIT_CERT_STATUS, $site, $user) == FALSE){
        show_view('error.php', 'You do not have permission to change site certification status.'
                ." Either an NGI level role on the parent NGI, or a Project level role on one of the parent NGIs owning projects is required."); 
        die(); 

diff --git a/htdocs/web_portal/controllers/site/edit_site.php b/htdocs/web_portal/controllers/site/edit_site.php
@@ -57,9 +57,10 @@ function draw(\User $user = null) {
     /*Old way: try { \Factory::getSiteService()->edit Authorization($site, $user);
     } catch(Exception $e) { show_view('error.php', $e->getMessage()); die(); }*/
 
-    if(count($serv->authorizeAction(Action::EDIT_OBJECT, $site, $user)) == 0){ 
+    //if(count($serv->authorize Action(Action::EDIT_OBJECT, $site, $user)) == 0){ 
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $site, $user) == FALSE){
         throw new Exception('You do not have permission to edit this Site');
-    } //else { print_r($serv->authorizeAction(Action::EDIT_OBJECT, $site, $user));}
+    } 
 
 
     $countries = $serv->getCountries();

diff --git a/htdocs/web_portal/controllers/site/view_site.php b/htdocs/web_portal/controllers/site/view_site.php
@@ -36,7 +36,8 @@ function view_site() {
 
     // Does current viewer have edit permissions over Site ?
     $params['ShowEdit'] = false;  
-    if(count($serv->authorizeAction(\Action::EDIT_OBJECT, $site, $user))>=1){
+    //if(count($serv->authorize Action(\Action::EDIT_OBJECT, $site, $user))>=1){
+    if(\Factory::getRoleActionAuthorisationService()->authoriseActionAbsolute(\Action::EDIT_OBJECT, $site, $user)){
        $params['ShowEdit'] = true;  
     }